In a PKI, which entity handles identity validation and certificate enrollment before a certificate is issued?

In PKI, identity verification and enrollment are handled by the Registration Authority. The RA is responsible for confirming who is requesting a certificate, validating their identity, and gathering the necessary enrollment data and proofs while enforcing policy. It does not issue certificates itself; instead, once the requester’s identity and information are confirmed, the RA forwards the validated enrollment to the Certificate Authority, which then issues the certificate binding the public key to the verified identity. This separation enhances security by keeping the certificate issuance process with the CA while offloading identity proof and enrollment to the RA. The other options don’t fit because a Key Distribution Center belongs to Kerberos and handles tickets, not certificate issuance, and a Policy Authority isn’t a standard PKI role.